[Thursday, September 21st is the latest of 5 updates.]
When I wrote “The Breach Response Market Is Broken,” I didn’t expect one of the players to validate everything I had to say. What I said was that the very act of firms contracting with breach response services inhibits the creation of a market for breach response, and the FTC should require them to give vouchers to consumers.
Vice Motherboard is reporting that “Firm Hired to Monitor Data Breaches Is Hacked, 143 Million Social Security Numbers Stolen.”
It’s not clear what database was accessed. On their website, Equifax says “No Evidence of Unauthorized Access to Core Consumer or Commercial Credit Reporting Databases” and “Company to Offer Free Identity Theft Protection and Credit File Monitoring to All U.S. Consumers.”
But here’s the thing: I don’t trust Equifax to protect data that … they just failed to protect. I want protection from an independent firm.
Equifax’s self-dealing in providing breach response services is unfair. No rational, well-informed consumer would select Equifax’s service in this situation. Equifax’s offering of credit file monitoring to all US consumers is also an unfair trade practice, which undercuts innovation, and limits the ability of new entrants to deliver effective services.
The FTC should require Equifax to send a voucher to each impacted individual which can be used to purchase any identity theft protection service on the market as of August, 2017.
Usually I don’t try to blog fast moving stories, but I may make an exception.
Update 1, later that day:
- Jeremiah Grossman points out: “As we’ve seen, breaches often negatively impact stocks (1-10%). We also know prices quickly bounce back. If we’re really smart, we’d buy.” I wonder — will this impact their business substantially? Probably revenue will be unaffected; costs may go up, not in the sense of notification (they’re not bothering to mail you a letter) or breach response costs, but in expenses around computer security: software, staff, subscriptions, which may depress profitability over time if most of the new expenses are a new normal after an FTC consent decree.
- Brian Krebs has context and history.
- Bloomberg reports that “Three Equifax Managers Sold Stock Before Cyber Hack Was Revealed.” “None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.”
Update 2, Sept 9:
- The International Business Times reports “Equifax Lobbied To Kill Rule Protecting Victims Of Data Breaches.” They report Equifax wrote “a rule blocking companies from forcing their customers to waive class action rights would expose credit agencies ‘to unmanageable class action liability that could result in full disgorgement of revenues’ if companies are found to have illegally harmed their customers.” It’s a nice life, having the government block your victims from suing you, especially if you’re worried that the harm is great enough to result in ‘full disgorgement of revenues.’ Now, you might argue that’s hyperbole, but maybe it’s a real fear.
- The Onion reports “Equifax Impressed By Hackers’ Ability To Ruin People’s Finances More Efficiently Than Company Can.”
- Equifax once brought me to a Nine Inch Nails concert, and under the payola rules, I ought to have disclosed that when writing about them. It was over a decade ago, and had slipped my mind.
Update 3, Sept 12:
- TechCrunch reports “no matter what, Equifax may tell you you’ve been impacted by the hack,” even for random last name and SSN combos. Maybe that’s not trying to drive anxiety, but their data really is that bad? (Thanks to Joey Gray for the pointer.)
- Patrick McKenzie has a long article on what to do when a bank issues credit to someone they think is you, “Identity Theft, Credit Reports, and You.”
Update 4, September 16:
- Lawmakers: The Democrats of the House Committee on Energy and Commerce sent Equifax a letter, as did Senators Hatch and Wyden (Hatch/Wyden Letter) and 30 state attorneys general, “States Call On Equifax To Halt Marketing Of Its Paid Credit Monitoring Service.”
- In other legislative news, “Sen. Elizabeth Warren slams Equifax and introduces bill to ban fees for freezing credit.”
- Someone tried to report the PIN generation issue over a year ago.
- Equifax’s CEO makes statements intended to reassure in USA Today, including “We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” but they don’t seem to have reported that claim to their shareholders via an 8-K. (The one I see at the SEC, filed September 7, says “it’s too early to tell.”)
- Reporters: Bob Sullivan has a “what now.” I respect Bob as a consumer-centric reporter, and he’s covered these issues for a while. I’m quoted in Howstuffworks’s “After the Equifax Breach, Does Credit Fraud Monitoring Really Help?”
- The public has still not been told what database was accessed.
Update 5, September 21:
- “Equifax Has Been Sending Consumers to a Fake Phishing Site for Almost Two Weeks.” I believe that Gizmodo means either “a phishing site” or “a fake, phishing site,” because the site to which Equifax was directing people was not theirs.
- Equifax’s former Chief Privacy Officer posted “Understanding the Equifax Data Breach,” including an explanation of why the breach was likely consumer dispute information.